10-23-2023 03:41 AM
Hi, I have a query that triggers when a user has been added to specific types of groups. The query depends on a lookup with 2 columns inside (one for group_name, another for Severity). I want to find any event of adding to one of the monitored groups, but also to enrich my final table with the severity right next to the group_name. I have tried to resolve this using: `| join type=left group_name [| inputlookup my_list.csv] | where isnotnull(Severity)` But somehow only 2 groups with low severity are being found, even though all the groups in the list have their own severity. How can I manage to make my table show the group with its severity?
10-23-2023 02:21 AM
Hi, Splunk usually takes the log event time (_time) and parses it into: date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year. I have found that some of our indexes do not contain this parsing, only the _time field. What may cause this issue? In addition, I am not sure, but I have found something related to "DATETIME_CONFIG = /etc/datetime.xml" that might be a good point; there is not much on the internet that explains well how to resolve this. Would appreciate your help here 🙂
Tags: time
06-20-2023 07:18 AM
Hi @gcusello, I want to thank you very much for your help! We have found the issue. Apparently our previous integration guy had configured the value action on this index, however he configured it on the source instead of the sourcetype, which made me think that the system related to that index is giving us 2 fields of action (Action & action). I was told that when you configure the calculated field using source it will be stronger than configuring it on sourcetype. Since we had the same calculated field on source and on sourcetype, I only saw the old configuration that did not match your suggestions here. The minute I deleted the old configuration that depended on the source of the index, everything started to work! Anyway, thanks a lot as mentioned above, I really appreciate it! Eyal
06-19-2023 05:31 AM
Hi @gcusello, can you please provide me the steps for how to use the Add field feature directly in the data model? I tried to find it without any success. I would like to try this solution before we give up 🙂 Thanks!!
06-19-2023 12:15 AM
Hi @gcusello, I have tried what you suggested; I don't see that it actually works.. I see the Action_Test works perfectly. I think the fact that we already have a value called action is the reason why it breaks. Do you think it is possible that this is the reason? Thanks, Eyal
06-18-2023 01:16 AM
Hi @gcusello, can you please explain how this is supposed to help in our case? Under what value should I calculate these fields? action?
06-18-2023 12:07 AM
Hi @gcusello, I have tried all you have suggested until now and unfortunately it still does not work 😞 Do you have any other suggestion maybe?
Tags: hi
06-15-2023 01:32 AM
Hi @gcusello, sorry for not replying; I had an issue signing in during the last 2 days. I did make the coalesce that you sent and it still does not work. These are the calculated fields: It looks like the actual issue is the fact that the field action already exists and therefore this field cannot be calculated as it is supposed to be, since the attempt with Action_Test did work.
06-13-2023 07:51 AM
I see, good to know 🙂 Yeah, I have added this as a calculated field; it still does not work..
06-13-2023 05:45 AM
Hi @gcusello, first of all I really appreciate your help in this case! Secondly, I have tried what you meant; it is working if I query this from the command line. However, it is not working if I put it as a calculated field, which is my major problem if I want my index to be compliant with the Data Model (Network Traffic).
06-13-2023 01:05 AM
Hi @gcusello, the value indeed exists already from the vendor itself; it provides two values, "Action" and "action". The Action field contains 100% of the values and action contains only 3%. Therefore I wanted to transfer all the values to be in the action field, as is supposed to be according to the Network Traffic Data Model.
06-13-2023 12:33 AM
Hi @gcusello, I have tried what you meant in the previous suggestion; unfortunately this did not work either. I have created an additional parameter called Action_Test to see if the name of the parameter might be the issue, and these are the results: It seems like the source of the issue is the name itself, because your query definitely works, but not when I try to add this to the action field.. Do you have another idea of how to resolve this case? 🙂
06-12-2023 03:03 AM
Hi Gcusello, I have changed it and waited for about 30 minutes and it still does not work, unfortunately. Here is the chart that it currently generates: You can see that the calculated field does not work (the permissions are global; it should work).
06-12-2023 02:20 AM
Hi, I have adjusted one of the FWs to be CIM compliant. I have 2 types of action parameters:

- one called "Action" that contains 100% of the values.
- one called "action" that contains 3% of the values.

I created a query in the calculated fields that should translate all the values in the Action field to the strings allowed and blocked, as is supposed to be in the Network Traffic Data Model. Link: https://docs.splunk.com/Documentation/CIM/5.1.1/User/NetworkTraffic The query is:

```
case(like('Action',"%alert%"),"allowed",like('Action',"%allow%"),"allowed",like('Action',"%drop%"),"blocked",like('Action',"%reset-both%"),"blocked",like('Action',"%block-url%"),"blocked",like('Action',"%deny%"),"blocked")
```

It works when I query this on the SPL command line; however it does not work when it runs as a calculated field. Is someone familiar with this issue? I would really appreciate your help 🙂
Labels: data model
02-19-2023 06:35 AM
Hi PickleRick (very nice name), I see what you mean; let me check this and will update ASAP if it worked 🙂
02-19-2023 05:11 AM
Hi Splunk Community,
I need a Splunk query that monitors a password change in the DC log source that was not performed by the user from log source X (DC),
but rather was performed by an automation of the system itself, log source Y (Automated Password System).
I want to trigger the search only in case the password change event was received and, from that point, to search 10 minutes back to see if the trigger was the system itself or an actual user.
Can you please assist 🙂
Labels: transaction
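An added example, not from the post above: a Python model of the correlation the question asks for, run over constructed log lines. For each password change from the DC source, it looks back the stated 10 minutes for an event from the automated password system for the same account and flags changes that have none. The source names `dc_security` and `auto_pw_system`, the event names and the `account=` field are assumed placeholders, not from the page.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real DC or vault logs):
# "<ISO time> <source> <event> account=<name>".
SAMPLE_LOGS = [
    "2023-02-19T05:00:00 auto_pw_system rotate account=svc_backup",
    "2023-02-19T05:04:00 dc_security pwchange account=svc_backup",
    "2023-02-19T05:20:00 dc_security pwchange account=jdoe",
    "2023-02-19T04:30:00 auto_pw_system rotate account=svc_sql",
    "2023-02-19T05:31:00 dc_security pwchange account=svc_sql",
]


def parse(line):
    ts, source, event, kv = line.split(" ", 3)
    return {"time": datetime.fromisoformat(ts), "source": source,
            "event": event, "account": kv.split("=", 1)[1]}


def manual_password_changes(lines, lookback_minutes=10):
    """Return (account, time) for each DC password change that has no
    automation event for the same account in the preceding window.
    The window is the post's "search 10 minutes back" from the
    password-change event (log source X) into log source Y."""
    events = [parse(l) for l in lines]
    automated = [e for e in events if e["source"] == "auto_pw_system"]
    flagged = []
    for e in events:
        if e["source"] != "dc_security" or e["event"] != "pwchange":
            continue
        window_start = e["time"] - timedelta(minutes=lookback_minutes)
        # An automation event counts only if it falls inside the window
        # ending at the change itself; older rotations do not explain it.
        covered = any(a["account"] == e["account"]
                      and window_start <= a["time"] <= e["time"]
                      for a in automated)
        if not covered:
            flagged.append((e["account"], e["time"].isoformat()))
    return flagged


if __name__ == "__main__":
    for account, when in manual_password_changes(SAMPLE_LOGS):
        print(f"manual password change: {account} at {when}")
```

In the sample data svc_backup is explained by a rotation 4 minutes earlier, while jdoe has no automation event and svc_sql's rotation is an hour old, so both are reported as user-driven changes.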